quote:In addition to a number of security in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities. ...Furthermore, to help mitigate the threat of malicious applets (Java exploits in internet browsers), Oracle has switched the Java security settings to “high” by default.

I wonder how all these fixes play against the vulnerability in Java 7 update 11 revealed by security researcher Adam Gowdiak in his web posting on 27 Jan 2013, which indicated a significant vulnerability existed in Java allowing the Java Control Panel security setting to be bypassed for unsigned Java apps in a web browser. His disclosure is here: (SE-2012-01) An issue with new Java SE 7 security features...

quote:... What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings described above. Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with "Very High" Java Control Panel security settings.

44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers). In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets.

In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops). Note also that this Critical Patch Update includes the fixes that were previously released through Security Alert CVE-2013-0422.

3 of the vulnerabilities fixed in this Critical Patch Update apply to client and server deployment of Java; that means that these vulnerabilities can be exploited on desktops through Java Web Start and Java applets in Browser, or in servers, by supplying malicious input to APIs in the vulnerable server components. In some instances, the exploitation scenario of this kind of bug on servers is very improbable; for example, one of these vulnerabilities can only be exploited against a server in the unlikely scenario that the server was allowed to process image files from an untrusted source.

Finally, 2 of the vulnerabilities fixed in this Critical Patch Update only apply to server deployment of the Java Secure Socket Extension (JSSE).

Furthermore, to help mitigate the threat of malicious applets (Java exploits in internet browsers), Oracle has switched the Java security settings to “high” by default.

I'm going to update, but I'm going to keep it disabled. Also going to check out the "safer alternative" you posted.

[Posted Sun, 03 Feb 2013 18:24:54 EDT, http://www.dslreports.com/forum/Re-Java-SE-7-update-13-Java-SE-6-update-39-27975606]

Re: Java SE 7 update 13 / Java SE 6 update 39 (http://www.dslreports.com/forum/Re-Java-SE-7-update-13-Java-SE-6-update-39-27975170)
In one article that I read, at "h-online", it was said that Oracle said that they were going to be more diligent in patching Java's security holes; however, I won't believe that until I see it.

[Posted Sun, 03 Feb 2013 15:48:13 EDT, http://www.dslreports.com/forum/Re-Java-SE-7-update-13-Java-SE-6-update-39-27975170]

Re: Java SE 7 update 13 / Java SE 6 update 39 (http://www.dslreports.com/forum/Re-Java-SE-7-update-13-Java-SE-6-update-39-27975137)
POV, as there are many others :D

I always use the offline installer as the offline installer never has the optional toolbar, and uninstall fully before installing the new versions (both X86 and 64-bit updates).

Ditto.

--
Remember that cool hidden "Graffiti Wall" here on BBR? After the name change I became the "owner", so to speak, as it became: Dustyn's Wall » [Serious] RIP

[Posted Fri, 01 Feb 2013 21:35:23 EDT, http://www.dslreports.com/forum/Re-Java-SE-7-update-13-Java-SE-6-update-39-27971033]

Re: Java SE 7 update 13 / Java SE 6 update 39 (http://www.dslreports.com/forum/Re-Java-SE-7-update-13-Java-SE-6-update-39-27970874)
said by Dustyn:

Another one so soon? A little surprising coming from Oracle. Thanks! :)

said by Oracle.com:

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 50 new security fixes across Java SE products.

IE 10 reports successful installation of 32bit version but Microsoft says I should also install the 64bit update and that will break Java on IE 10 (at least it did for the last two updates). Microsoft says IE 10 desktop version on Win 8 is MOSTLY 64bit but not fully (whatever the heck that means) so you must install both versions of Java. That gives me a Java Panel with no way to auto check for new versions. The installations have to be done off line.

Plus, while java.com reports successful installation of the latest 32bit version on IE 10, and Win Patrol asked me about allowing it, IE 10 itself reports that I have an OLD version 7 from Jan 1 2013 when I look at IE Addons. I haven't tried to install the 64bit version yet.

I would just uninstall Java from IE but that can't be done fully.

--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
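The two practical checks raised in this thread (is the JRE actually at 7u13 / 6u39 on both the 32-bit and 64-bit installs, and is Java in the browser really off rather than merely set to a higher security level) can be scripted. The block below is an added example written for this page, not code from the thread, from Oracle or from any of the posters. It parses `java -version` output for each installed JRE, compares the update number numerically against the levels named in the thread, and reads a deployment.properties file to see whether the plug-in is disabled. The host name, the sample version strings and the properties content are constructed for the example; the keys deployment.webjava.enabled and deployment.security.level are Oracle's Java 7 deployment configuration properties.

```python
import re

# Minimum update levels carrying the February 2013 Critical Patch Update, as
# named in this thread: Java SE 7 Update 13 and Java SE 6 Update 39.
PATCHED_UPDATE = {7: 13, 6: 39}

# Java 6/7 print a first line such as:  java version "1.7.0_11"
# (it goes to stderr, so capture with 2>&1 or stderr=STDOUT).
# The update part is optional: a GA release reports plain "1.7.0".
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.0(?:_(\d+))?"')


def parse_java_version(version_output):
    """Return (major, update) from `java -version` output.

    Update numbers are compared as integers: 1.7.0_9 is older than 1.7.0_11
    even though "1.7.0_9" sorts after "1.7.0_11" as a string.
    """
    match = _VERSION_RE.search(version_output)
    if not match:
        raise ValueError("unrecognised java -version output: %r" % version_output)
    update = int(match.group(2)) if match.group(2) else 0
    return int(match.group(1)), update


def is_patched(version_output):
    """True if this JRE is at or above the CPU level for its release line."""
    major, update = parse_java_version(version_output)
    required = PATCHED_UPDATE.get(major)
    if required is None:
        return False  # release line not covered by this CPU: treat as unpatched
    return update >= required


def parse_deployment_properties(text):
    """Parse the key=value lines of a Java deployment.properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_host(hostname, jre_outputs, deployment_properties):
    """Return a list of findings (empty when the host looks fine).

    jre_outputs maps a label such as "32-bit" or "64-bit" to that JRE's
    `java -version` output; on 64-bit Windows with IE both JREs must be patched.
    """
    findings = []
    for label in sorted(jre_outputs):
        output = jre_outputs[label]
        major, update = parse_java_version(output)
        if not is_patched(output):
            findings.append("%s: %s JRE is 1.%d.0_%d, below the CPU level (update %s)"
                            % (hostname, label, major, update,
                               PATCHED_UPDATE.get(major, "n/a")))
    props = parse_deployment_properties(deployment_properties)
    # Oracle's new default level is HIGH, but the researcher quote in this
    # thread ran unsigned code under VERY_HIGH, so the level alone is not a
    # reliable control; switching the browser plug-in off is the safer state.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("%s: Java browser plug-in enabled (security level %s)"
                        % (hostname, props.get("deployment.security.level", "default")))
    return findings


# Constructed sample data: a Windows 7 box with a stale 32-bit JRE (the
# 1.7.0_11-b21 string is the one quoted in the thread), a patched 64-bit JRE,
# and a deployment.properties that only raised the level (hostname is made up).
SAMPLE_JRES = {
    "32-bit": 'java version "1.7.0_11"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_11-b21)\n'
              'Java HotSpot(TM) Client VM (build 23.6-b04, mixed mode, sharing)\n',
    "64-bit": 'java version "1.7.0_13"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_13-b20)\n',
}
SAMPLE_PROPERTIES = (
    "#deployment.properties\n"
    "deployment.security.level=VERY_HIGH\n"
)

if __name__ == "__main__":
    for finding in audit_host("win7-desktop", SAMPLE_JRES, SAMPLE_PROPERTIES):
        print(finding)
```

Run against the sample data it reports two findings: the 32-bit JRE is still 7u11, and the browser plug-in is enabled even though the level was set to VERY_HIGH. To feed it real data, collect the stderr of each `java -version` (one per JRE directory) and the deployment.properties from the user's or system's Java deployment folder.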

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 50 new security fixes across Java SE products.

Note: The original Critical Patch Update for Java SE - February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.

This release includes important security fixes. Oracle strongly recommends that all Java SE 7 users upgrade to this release.